<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

Feature Spotlight: Declarations of Policy Violation™

One of the new, exciting innovations available with the release of Stamus Security Platform (SSP) U 40 is the inclusion of Declarations of Policy Violation™ (DoPV). This new class of auto-prioritized security event is an excellent way to get definitive notifications of policy violations taking place on your organization’s network. In this feature spotlight, we will explain what the new DoPVs are, what information they include, and how you can use them to uncover unwanted activity at your organization. 

What is a DoPV?

In simple terms, a Declaration of Policy Violation (also known as a DoPV) are high-confidence and high-priority notifications of severe security events related to the predefined security policy of your organization and activities you have set as “unauthorized”. These are similar to the Declarations of Compromise™ (DoCs) that you are likely already familiar with, but unlike a DoC which is triggered by a threat on an asset, DoPVs are triggered by unauthorized activities or policy violations such as clear text passwords, outdated TLS versions, insecure cypher suites, and TOR browser usage.

DoPVs can be viewed in the operational center immediately next to Declarations of Compromise.

DoPVs are linked to assets and threats, enabling the user to quickly understand which host has been compromised and what specific policy was violated. As we can see in the image below, this DoPV was triggered by the presence of a clear text password originating from one of our assets. 

The Stamus Security Platform currently offers a broad coverage of general policy violation detections, such as Potential Data Leakage (clear text passwords, abused file sharing services, etc) and Adware. Additional policy violation detection will be added in future releases. Because each organization has its own unique set of policies, SSP users are encouraged to create their own custom policy violations in order to get the most out of the new feature. 

Creating Custom Declarations of Policy Violation

SSP users can elevate any security event to a policy violation, thus creating a detection strategy that will fit any organization’s unique internal policies. This process is similar to the one used to create a custom Declaration of Compromise. 

In the example above, the organization has asked the SSP admin to create a custom DoPV to detect and alert upon an FTP application being used to and from specific servers. To do so, the detection method “ET CHAT IRC JOIN command” from a specific source and destination has been elevated to a DoPV. In the future, whenever this detection method will trigger on the IPs mentioned, it will trigger a DoPV. 

When a DoPV has been detected by the SSP, users can tag it as either informational or relevant

By doing so, future DoPVs from that category will already be tagged. This mechanism will help SSP users classify the information faster.

DoPVs and Automated Response

The Stamus Security Platform is fully integrable with third party softwares and tools, thus integrating seamlessly into your organization’s security stack. 

As a result, there are several possible workflows that can be automated when a DoPV alert is triggered: 

  • Ticketing Systems: SSP is capable of creating a ticket in your corporate ticketing system, thus facilitating threat notification and workflow.
  • SIEM: SSP is capable of sending alerts, such as DoCs, security events, and DoPVs to your organization’s SIEM. This mechanism will provide a single pane of glass for threat hunting and notifications. SSP supports a native integration with Splunk and can also send syslogs to any SIEM accepting this format. 
  • Webhooks: SSP provides the ability to set up an outgoing webhook upon a DoPV to allow users to notify third party tools, such as enterprise chat applications. Webhooks also allow interaction with EDRs to increase the speed of incident response.
  • Email: When a DoPV is triggered, it is now possible to send the details of the alert to a mail address, enabling seamless notifications.

What information does SSP capture with a DoPV?

A DoPV contains the same information one would find in a Declaration of Compromise. The alert will contain a broad range of data points:

  • Network information such as destination and source IP, subnet ID
  • Protocol information such as the protocol, the prot and the application protocol used for the transaction
  • Detection method ID, name, and severity
  • Flow information such as bytes to server and client and number of packets
  • File information such as the filename and hash
  • Geo IP
  • Stamus Method / DoPV information such as threat and family name and kill chain phase

As example view of the information available in a DoPV alert can be seen below:

How do DoPVs make work easier?

DoPVs will proactively highlight any policy violation within your network. By integrating with your cybersecurity and incident response stack, DoPVs will make tracking, notifying and incident response faster and more accurate. 

Unlike a DoC, which alerts organizations to high-priority external threats, DoPV coverage extends to any activities that are considered “unauthorized”, thus bringing many high-risk activities into the spotlight that are often only caught by proactive threat hunting. Now, SSP users can quickly understand the state of their network and organization directly from the operational center, seeing both attacks on assets (DoCs) and unauthorized activity that may not necessarily be malicious, but still poses a risk to the organization (DoPVs). 

How to Get Started with Declarations of Policy Violation:

As a new customer, you will automatically benefit from the DoPV feature as it is native to u40, the latest version of the SSP. If you are an existing customer, upgrading to u40 will let you benefit from this new feature. 

Once you are using the latest version of Stamus Security Platform, you can start by navigating to the operational center and check if a policy violation was detected in your environment.

In addition, you can also take a look at the policy violations predefined filters in the hunting dashboard and start creating custom DoPVs – as described above – to enhance policy violation detection within SSP.

Conclusion

Declarations of Policy Violation are very helpful for enterprise security teams looking to cut through the noise of their alerts and quickly gain an understanding of the unauthorized or otherwise unwanted activity happening on their network. 

To stay updated with new blog posts from Stamus Networks, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.

Clément Genetet

Schedule a Demo of Stamus Security Platform

REQUEST A DEMO

Related posts

Feature Spotlight: Custom Report Generator

In today’s digital landscape, enterprise networks produce an overwhelming volume of data when...

Feature Spotlight: Attack Surface Inventory

As all cybersecurity defenders know, visibility into the network is the key to understanding what...